{"url":"http://public2.vulnerablecode.io/api/packages/519811?format=json","purl":"pkg:composer/pterodactyl/panel@0.6.0","type":"composer","namespace":"pterodactyl","name":"panel","version":"0.6.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.12.1","latest_non_vulnerable_version":"1.12.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38126?format=json","vulnerability_id":"VCID-4bxk-fxcd-j7ew","summary":"Pterodactyl is a free, open-source game server management panel. When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent.  While query parameters are encrypted when using TLS, many webservers (including ones officially documented for use with Pterodactyl) will log query parameters in plain-text, storing a user's password in plain text. Prior to version 1.11.8, if a malicious user obtains access to these logs they could potentially authenticate against a user's account; assuming they are able to discover the account's email address or username separately. This problem has been patched in version 1.11.8. There are no workarounds at this time. There is not a direct vulnerability within the software as it relates to logs generated by intermediate components such as web servers or Layer 7 proxies. Updating to `v1.11.8` or adding the linked patch manually are the only ways to avoid this problem. As this vulnerability relates to historical logging of sensitive data, users who have ever disabled 2FA on a Panel (self-hosted or operated by a company) should change their passwords and consider enabling 2FA if it was left disabled. While it's unlikely that their accounts will be compromised by this vulnerability, it's not impossible. 
Panel administrators should consider clearing any access logs that may contain sensitive data.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-49762","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11207","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-49762"},{"reference_url":"https://github.com/pterodactyl/panel","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49762","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49762"},{"reference_url":"https://github.com/pterodactyl/panel/commit/75b59080e2812ced677dab516222b2a3bb34e3a4","reference_id":"75b59080e2812ced677dab516222b2a3bb34e3a4","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T17:20:24Z/"}],"url":"https://github.com/pterodactyl/panel/commit/75b59080e2812ced677dab516222b2a3bb34e3a4"},{"reference_url":"https://github.com/pterodactyl/panel/commit/8be2b892c3940bdc0157ccdab16685a72d105dd1","reference_id":"8be2b892c3940bdc0157ccdab16685a72d105dd1","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T17:20:24Z/"}],"url":"https://github.com/pterodactyl/panel/commit/8be2b892c3940bdc0157ccdab16685a72d105dd1"},{"reference_url":"https://github.com/advisories/GHSA-c479-wq8g-57hr","reference_id":"GHSA-c479-wq8g-57hr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c479-wq8g-57hr"},{"reference_url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-c479-wq8g-57hr","reference_id":"GHSA-c479-wq8g-57hr","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T17:20:24Z/"}],"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-c479-wq8g-57hr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371945?format=json","purl":"pkg:composer/pterodactyl/panel@1.11.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-72dz-ft2x-b7g7"},{"vulnerability":"VCID-ak5j-hyqv-83gh"},{"vulnerability":"VCID-nzx8-neth-53f9"},{"vulnerability":"VCID-qkxj-7v3h-4uf3"},{"vulnerability":"VCID-r8xg-6ft5-v3hu"},{"vulnerability":"VCID-u1et-rr8n-hbhq"},{"vulnerability":"VCID-xyex-9yf8-zuhn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.11.8"}],"aliases":["CVE-2024-49762","GHSA-c479-wq8g-57hr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4bxk-fxcd-j7ew"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93217?format=json","vulnerability_id":"VCID-72dz-ft2x-b7g7","summary":"Pterodactyl is a free, open-source game 
server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time of their permissions being revoked in order for this vulnerability to be exploited. This issue is fixed in version 1.12.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68954","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01375","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68954"},{"reference_url":"https://github.com/pterodactyl/panel","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel"},{"reference_url":"https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5","reference_id":"2bd9d8baddb0e0606e4a9d5be402f48678ac88d5","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:23:44Z/"}],"url":"https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68954","reference_id":"CVE-2025-68954","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P
/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68954"},{"reference_url":"https://github.com/advisories/GHSA-8c39-xppg-479c","reference_id":"GHSA-8c39-xppg-479c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8c39-xppg-479c"},{"reference_url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c","reference_id":"GHSA-8c39-xppg-479c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:23:44Z/"}],"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c"},{"reference_url":"https://github.com/pterodactyl/panel/releases/tag/v1.12.0","reference_id":"v1.12.0","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:23:44Z/"}],"url":"https://github.com/pterodactyl/panel/releases/tag/v1.12.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36385?format=json","purl":"pkg:composer/pterodactyl/panel@1.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nzx8-neth-53f9"},{"vulnerability":"VCID-qkxj-7v3h-4uf3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.0"}],"aliases":["CVE-2025-68954
","GHSA-8c39-xppg-479c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-72dz-ft2x-b7g7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49610?format=json","vulnerability_id":"VCID-7e7n-exfe-cuc5","summary":"Pterodactyl is a free, open-source game server management panel built with PHP, React, and Go. Importing a malicious egg or gaining access to a wings instance could lead to cross site scripting (XSS) on the panel, which could be used to gain an administrator account on the panel. Specifically, the following things are impacted: Egg Docker images and Egg variables: Name, Environment variable, Default value, Description, Validation rules. Additionally, certain fields would reflect malicious input, but it would require the user knowingly entering such input to have an impact. To reiterate, this would require an administrator to perform actions and can't be triggered by a normal panel user. This issue has been addressed in version 1.11.6 and users are advised to upgrade. 
No workaround is available other than updating to the latest version of the panel.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34067","reference_id":"","reference_type":"","scores":[{"value":"0.00529","scoring_system":"epss","scoring_elements":"0.67635","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34067"},{"reference_url":"https://github.com/pterodactyl/panel","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel"},{"reference_url":"https://github.com/pterodactyl/panel/commit/0dad4c5a488661f9adc27dd311542516d9bfa0f2","reference_id":"0dad4c5a488661f9adc27dd311542516d9bfa0f2","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T20:23:13Z/"}],"url":"https://github.com/pterodactyl/panel/commit/0dad4c5a488661f9adc27dd311542516d9bfa0f2"},{"reference_url":"https://github.com/pterodactyl/panel/commit/1172d71d31561c4e465dabdf6b838e64de48ad16","reference_id":"1172d71d31561c4e465dabdf6b838e64de48ad16","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T20:23:13Z/"}],"url":"https://github.com/pterodactyl/panel/commit/1172d71d31561c4e465dabdf6b838e64de48ad16"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34067","reference
_id":"CVE-2024-34067","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34067"},{"reference_url":"https://github.com/pterodactyl/panel/commit/f671046947e4695b5e1c647df79305c1cefdf817","reference_id":"f671046947e4695b5e1c647df79305c1cefdf817","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T20:23:13Z/"}],"url":"https://github.com/pterodactyl/panel/commit/f671046947e4695b5e1c647df79305c1cefdf817"},{"reference_url":"https://github.com/advisories/GHSA-384w-wffr-x63q","reference_id":"GHSA-384w-wffr-x63q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-384w-wffr-x63q"},{"reference_url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q","reference_id":"GHSA-384w-wffr-x63q","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T20:23:13Z/"}],"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30895?format=json","purl":"pkg:composer/pterodactyl/panel@1.11.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerabilit
y":"VCID-4bxk-fxcd-j7ew"},{"vulnerability":"VCID-72dz-ft2x-b7g7"},{"vulnerability":"VCID-ak5j-hyqv-83gh"},{"vulnerability":"VCID-nzx8-neth-53f9"},{"vulnerability":"VCID-qkxj-7v3h-4uf3"},{"vulnerability":"VCID-r8xg-6ft5-v3hu"},{"vulnerability":"VCID-u1et-rr8n-hbhq"},{"vulnerability":"VCID-xyex-9yf8-zuhn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.11.6"}],"aliases":["CVE-2024-34067","GHSA-384w-wffr-x63q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7e7n-exfe-cuc5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98241?format=json","vulnerability_id":"VCID-ak5j-hyqv-83gh","summary":"Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. 
There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49132","reference_id":"","reference_type":"","scores":[{"value":"0.12525","scoring_system":"epss","scoring_elements":"0.94094","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49132"},{"reference_url":"https://github.com/pterodactyl/panel","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49132","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49132"},{"reference_url":"https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0","reference_id":"24c82b0e335fb5d7a844226b08abf9f176e592f0","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-20T17:34:12Z/"}],"url":"https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52341.py","reference_id":"CVE-2025-
49132","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52341.py"},{"reference_url":"https://github.com/advisories/GHSA-24wv-6c99-f843","reference_id":"GHSA-24wv-6c99-f843","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-24wv-6c99-f843"},{"reference_url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843","reference_id":"GHSA-24wv-6c99-f843","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-20T17:34:12Z/"}],"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843"},{"reference_url":"https://github.com/pterodactyl/panel/releases/tag/v1.11.11","reference_id":"v1.11.11","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-20T17:34:12Z/"}],"url":"https://github.com/pterodactyl/panel/releases/tag/v1.11.11"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378801?format=json","purl":"pkg:composer/pterodactyl/panel@1.11.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-72dz-ft2x-b7g7"},{"vulnerability":"VCID-nzx8-neth-53f9"},{"vulnerability":"VCID-qkxj-7v3h-4uf3"},{"vulnerability":"VCID-r8xg-6ft5-v3hu"},{"vulnerabili
ty":"VCID-u1et-rr8n-hbhq"},{"vulnerability":"VCID-xyex-9yf8-zuhn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.11.11"}],"aliases":["CVE-2025-49132","GHSA-24wv-6c99-f843"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ak5j-hyqv-83gh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/309215?format=json","vulnerability_id":"VCID-mmyj-h9sj-5yf9","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1020002","reference_id":"","reference_type":"","scores":[{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60591","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1020002"},{"reference_url":"https://github.com/pterodactyl/panel","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel"},{"reference_url":"https://github.com/pterodactyl/panel/commit/092e7e79fff858ee026608c7dbccab165a67526f","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/commit/092e7e79fff858ee026608c7dbccab165a67526f"},{"reference_url":"https://github.com/pterodactyl/panel/releases/tag/v0.7.14","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/releases/tag/v0.7.14"},{"reference_url":"https://github.com/
pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-1020002","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-1020002"},{"reference_url":"https://github.com/advisories/GHSA-fg52-xjfc-9rh8","reference_id":"GHSA-fg52-xjfc-9rh8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fg52-xjfc-9rh8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/386212?format=json","purl":"pkg:composer/pterodactyl/panel@0.7.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4bxk-fxcd-j7ew"},{"vulnerability":"VCID-72dz-ft2x-b7g7"},{"vulnerability":"VCID-7e7n-exfe-cuc5"},{"vulnerability":"VCID-ak5j-hyqv-83gh"},{"vulnerability":"VCID-nzx8-neth-53f9"},{"vulnerability":"VCID-p8uz-n8jm-jbgr"},{"vulnerability":"VCID-qkxj-7v3h-4uf3"},{"vulnerability":"VCID-r8xg-6ft5-v3hu"},{"vulnerability":"VCID-u1et-rr8n-hbhq"},{"vulnerability":"VCID-xyex-9yf8-zuhn"},{"vulnerability":"VCID-yrv8-dva5-zfee"},{"vulnerability":"VCID-znmd-dupu-wybz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@0.7.14"}],"aliases":["CVE-2019-1020002","GHSA-fg52-xjfc-9rh8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mmyj-h9sj-5yf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212591?format=json","vulne
rability_id":"VCID-nzx8-neth-53f9","summary":"Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change","references":[{"reference_url":"https://github.com/pterodactyl/panel","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel"},{"reference_url":"https://github.com/pterodactyl/panel/commit/0e74f3aadec89405751ec602c77fc1d030a417c0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/commit/0e74f3aadec89405751ec602c77fc1d030a417c0"},{"reference_url":"https://github.com/advisories/GHSA-hr7j-63v7-vj7g","reference_id":"GHSA-hr7j-63v7-vj7g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hr7j-63v7-vj7g"},{"reference_url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-hr7j-63v7-vj7g","reference_id":"GHSA-hr7j-63v7-vj7g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-hr7j-63v7-vj7g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39216?format=json","purl":"pkg:composer/pterodactyl/panel@1.12.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:c
omposer/pterodactyl/panel@1.12.1"}],"aliases":["GHSA-hr7j-63v7-vj7g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nzx8-neth-53f9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/206613?format=json","vulnerability_id":"VCID-p8uz-n8jm-jbgr","summary":"Cross-Site Request Forgery allowing sending of test emails and generation of node auto-deployment keys","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41273","reference_id":"","reference_type":"","scores":[{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30124","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41273"},{"reference_url":"https://github.com/pterodactyl/panel","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel"},{"reference_url":"https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41273","reference_id":"CVE-2021-41273","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41273"},{"reference_url":"https://github.com/advisories/GHSA-wwgq-9jhf-qgw6","reference_id
":"GHSA-wwgq-9jhf-qgw6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wwgq-9jhf-qgw6"},{"reference_url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6","reference_id":"GHSA-wwgq-9jhf-qgw6","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18051?format=json","purl":"pkg:composer/pterodactyl/panel@1.6.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4bxk-fxcd-j7ew"},{"vulnerability":"VCID-72dz-ft2x-b7g7"},{"vulnerability":"VCID-7e7n-exfe-cuc5"},{"vulnerability":"VCID-ak5j-hyqv-83gh"},{"vulnerability":"VCID-nzx8-neth-53f9"},{"vulnerability":"VCID-qkxj-7v3h-4uf3"},{"vulnerability":"VCID-r8xg-6ft5-v3hu"},{"vulnerability":"VCID-u1et-rr8n-hbhq"},{"vulnerability":"VCID-xyex-9yf8-zuhn"},{"vulnerability":"VCID-yrv8-dva5-zfee"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.6.6"}],"aliases":["CVE-2021-41273","GHSA-wwgq-9jhf-qgw6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p8uz-n8jm-jbgr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70831?format=json","vulnerability_id":"VCID-qkxj-7v3h-4uf3","summary":"Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. 
Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with. Any authenticated Wings node can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes. This vulnerability requires a user to acquire a secret access token for a node. Unless a user gains access to a Wings secret access token they would not be able to access any of these vulnerable endpoints, as every endpoint requires a valid node access token. A single compromised Wings node daemon token (stored in plaintext at `/etc/pterodactyl/config.yml`) grants access to sensitive configuration data of every server on the panel, rather than only to servers that the node has access to. An attacker can use this information to move laterally through the system, send excessive notifications, destroy server data on other nodes, and otherwise exfiltrate secrets that they should not have access to with only a node token. Additionally, triggering a false transfer success causes the panel to delete the server from the source node, resulting in permanent data loss. 
Users should upgrade to version 1.12.1 to receive a fix.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26016","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20506","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26016"},{"reference_url":"https://github.com/pterodactyl/panel","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26016","reference_id":"CVE-2026-26016","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26016"},{"reference_url":"https://github.com/advisories/GHSA-g7vw-f8p5-c728","reference_id":"GHSA-g7vw-f8p5-c728","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g7vw-f8p5-c728"},{"reference_url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-g7vw-f8p5-c728","reference_id":"GHSA-g7vw-f8p5-c728","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:43Z/"}],"url":"https://github.com/pterodactyl/panel/securit
y/advisories/GHSA-g7vw-f8p5-c728"},{"reference_url":"https://github.com/pterodactyl/panel/releases/tag/v1.12.1","reference_id":"v1.12.1","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:43Z/"}],"url":"https://github.com/pterodactyl/panel/releases/tag/v1.12.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39216?format=json","purl":"pkg:composer/pterodactyl/panel@1.12.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.1"}],"aliases":["CVE-2026-26016","GHSA-g7vw-f8p5-c728"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qkxj-7v3h-4uf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/123656?format=json","vulnerability_id":"VCID-r8xg-6ft5-v3hu","summary":"Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). 
This issue is fixed in version 1.12.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-69197","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01639","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-69197"},{"reference_url":"https://github.com/pterodactyl/panel","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel"},{"reference_url":"https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf","reference_id":"032bf076d92bb2f929fa69c1bac1b89f26b8badf","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:23:37Z/"}],"url":"https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69197","reference_id":"CVE-2025-69197","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69197"},{"reference_url":"https://github.com/advisories/GHSA-rgmp-4873-r683","reference_id":"GHSA-rgmp-4873-r683","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rgmp-4873-r683"},{"reference_url":"https://github.com/pterodactyl/panel/security/advisor
ies/GHSA-rgmp-4873-r683","reference_id":"GHSA-rgmp-4873-r683","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:23:37Z/"}],"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683"},{"reference_url":"https://github.com/pterodactyl/panel/releases/tag/v1.12.0","reference_id":"v1.12.0","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:23:37Z/"}],"url":"https://github.com/pterodactyl/panel/releases/tag/v1.12.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36385?format=json","purl":"pkg:composer/pterodactyl/panel@1.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nzx8-neth-53f9"},{"vulnerability":"VCID-qkxj-7v3h-4uf3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.0"}],"aliases":["CVE-2025-69197","GHSA-rgmp-4873-r683"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r8xg-6ft5-v3hu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212459?format=json","vulnerability_id":"VCID-u1et-rr8n-hbhq","summary":"Pterodactyl has a Reflected XSS vulnerability in “Create New Database 
Host”","references":[{"reference_url":"https://github.com/pterodactyl/panel","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel"},{"reference_url":"https://github.com/pterodactyl/panel/commit/1570ff250939b75b3ba8cd03e5025d8293544ed4","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/commit/1570ff250939b75b3ba8cd03e5025d8293544ed4"},{"reference_url":"https://github.com/advisories/GHSA-mgr9-6c2j-jxrq","reference_id":"GHSA-mgr9-6c2j-jxrq","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mgr9-6c2j-jxrq"},{"reference_url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-mgr9-6c2j-jxrq","reference_id":"GHSA-mgr9-6c2j-jxrq","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-mgr9-6c2j-jxrq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36385?format=json","purl":"pkg:composer/pterodactyl/panel@1.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nzx8-neth-53f9"},{"vulnerability":"VCID-qkxj-7v3h-4uf3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.0"}],"aliases":["GH
SA-mgr9-6c2j-jxrq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u1et-rr8n-hbhq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/123742?format=json","vulnerability_id":"VCID-xyex-9yf8-zuhn","summary":"Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle. However, in versions prior to 1.12.0, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is a race condition: the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result, when a large volume of requests is sent at the same time, every one of those requests validates as not using any of the target resources, and all of them then create the resources at the same time. A server would therefore be able to create more databases, allocations, or backups than configured. A malicious user is able to deny resources to other users on the system, and may be able to excessively consume the limited allocations for a node, or fill up backup space faster than is allowed by the system. 
Version 1.12.0 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-69198","reference_id":"","reference_type":"","scores":[{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19725","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-69198"},{"reference_url":"https://github.com/pterodactyl/panel","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel"},{"reference_url":"https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607","reference_id":"09caa0d4995bd924b53b9a9e9b4883ac27bd5607","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T19:37:10Z/"}],"url":"https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69198","reference_id":"CVE-2025-69198","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/
VA:H/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69198"},{"reference_url":"https://github.com/advisories/GHSA-jw2v-cq5x-q68g","reference_id":"GHSA-jw2v-cq5x-q68g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jw2v-cq5x-q68g"},{"reference_url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g","reference_id":"GHSA-jw2v-cq5x-q68g","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T19:37:10Z/"}],"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36385?format=json","purl":"pkg:composer/pterodactyl/panel@1.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nzx8-neth-53f9"},{"vulnerability":"VCID-qkxj-7v3h-4uf3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.12.0"}],"aliases":["CVE-2025-69198","GHSA-jw2v-cq5x-q68g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xyex-9yf8-zuhn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207434?format=json","vulnerability_id":"VCID-yrv8-dva
5-zfee","summary":"Insufficient Session Expiration in Pterodactyl API","references":[{"reference_url":"https://github.com/pterodactyl/panel","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel"},{"reference_url":"https://github.com/pterodactyl/panel/commit/dfa329ddf242908b60e22e3340ea36359eab1ef4","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/commit/dfa329ddf242908b60e22e3340ea36359eab1ef4"},{"reference_url":"https://github.com/pterodactyl/panel/releases/tag/v1.7.0","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/releases/tag/v1.7.0"},{"reference_url":"https://github.com/advisories/GHSA-7v3x-h7r2-34jv","reference_id":"GHSA-7v3x-h7r2-34jv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7v3x-h7r2-34jv"},{"reference_url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv","reference_id":"GHSA-7v3x-h7r2-34jv","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/security/advisories/GH
SA-7v3x-h7r2-34jv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18743?format=json","purl":"pkg:composer/pterodactyl/panel@1.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4bxk-fxcd-j7ew"},{"vulnerability":"VCID-72dz-ft2x-b7g7"},{"vulnerability":"VCID-7e7n-exfe-cuc5"},{"vulnerability":"VCID-ak5j-hyqv-83gh"},{"vulnerability":"VCID-nzx8-neth-53f9"},{"vulnerability":"VCID-qkxj-7v3h-4uf3"},{"vulnerability":"VCID-r8xg-6ft5-v3hu"},{"vulnerability":"VCID-u1et-rr8n-hbhq"},{"vulnerability":"VCID-xyex-9yf8-zuhn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.7.0"}],"aliases":["GHSA-7v3x-h7r2-34jv","GMS-2022-28"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yrv8-dva5-zfee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/343817?format=json","vulnerability_id":"VCID-znmd-dupu-wybz","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41176","reference_id":"","reference_type":"","scores":[{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37741","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41176"},{"reference_url":"https://github.com/pterodactyl/panel","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel"},{"reference_url":"https://github.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://g
ithub.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2"},{"reference_url":"https://github.com/pterodactyl/panel/releases/tag/v1.6.3","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/releases/tag/v1.6.3"},{"reference_url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41176","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41176"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/382199?format=json","purl":"pkg:composer/pterodactyl/panel@1.6.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4bxk-fxcd-j7ew"},{"vulnerability":"VCID-72dz-ft2x-b7g7"},{"vulnerability":"VCID-7e7n-exfe-cuc5"},{"vulnerability":"VCID-ak5j-hyqv-83gh"},{"vulnerability":"VCID-nzx8-neth-53f9"},{"vulnerability":"VCID-p8uz-n8jm-jbgr"},{"vulnerability":"VCID-qkxj-7v3h-4uf3"},{"vulnerability":"VCID-r8xg-6ft5-v3hu"},{"vulnerability":"VCID-u1et-rr8n-hbhq"},{"vulnerability":"VCID-xyex-9yf8-zuhn"},{"vulnerability":"VCID-yrv8-dva5-zfee"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@1.6.3"}],"aliases":["CVE-2021-41176","GHSA-m49f-hcxp-6hm6
"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-znmd-dupu-wybz"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@0.6.0"}